Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?

"You can't ever find a place that's nice and peaceful, because there isn't any. You may think there is, but once you get there, when you're not looking, somebody'll sneak up and write F*** you right under your nose."
--J. D. Salinger, American Novelist

Something strange happened to me recently: a friend told me I was too paranoid when it comes to security. It was strange because he was the third person to tell me that in a couple weeks. Sure, I expect most people to call me paranoid, but these were all colleagues in the security industry. Is it time to worry when security professionals consider you too paranoid?

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

The first thing I did was try to understand the word paranoia. After checking a few dictionaries I found that it was a psychotic disorder characterized by delusions of persecution, grandeur, or excessive distrust. What is a delusion? It's a false belief held despite evidence to the contrary.

Are extreme security measures acting on false threats that don't really exist? Some consider some of my security strategies a bit extreme. I call it meticulous precaution. Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?

Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.

It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me. That's really not the point. There's no need to analyze the threat of every situation. Just practice strong security always and you should be okay.

I frequently see people posting PGP signed e-mails to security mailing lists. It's not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important. If you always practice the best security, you never have to worry about mediocre security.

I use very long passwords for everything, even with the lamest accounts I have. I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.

I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it's good security. I try to run my own network the same way I tell my clients to.

Is this prudent and sensible proactive security or is it mental illness? Do you need a threat to practice the defense? I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.

I use a unique, secret e-mail address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check the address they sent it to and see whether it's the secret one.
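The check described above, written out as an added example (not code from the original article): a per-account table maps a provider's sending domain to the unique alias you gave that provider, and a message claiming to come from that provider is flagged when it was not delivered to that alias. The domains, aliases and messages are constructed for the example.

```python
"""Flag mail that claims to come from an account provider but was not
delivered to the unique alias registered with that provider."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical per-account aliases (constructed for this example).
ACCOUNT_ALIASES = {
    "examplebank.test": "mb-bank-7f3a@example.test",
    "examplebroker.test": "mb-broker-19c2@example.test",
}


def recipient_addresses(msg):
    """All recipient addresses in To/Cc/Delivered-To, lower-cased."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def classify(raw_message):
    """Return 'unknown-sender', 'matches-alias' or 'alias-mismatch'.

    The From header is trivially forged, so it is only used to look up
    which alias should have been used; the recipient address is the
    signal, because a sender who forged the domain would not know it."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    expected = ACCOUNT_ALIASES.get(domain)
    if expected is None:
        return "unknown-sender"
    if expected in recipient_addresses(msg):
        return "matches-alias"
    return "alias-mismatch"


# Constructed sample messages: one sent to the registered alias, one not.
GENUINE = """From: Example Bank <alerts@examplebank.test>
To: mb-bank-7f3a@example.test
Subject: Statement ready

Your statement is ready.
"""

SUSPECT = """From: Example Bank <alerts@examplebank.test>
To: mark@example.test
Subject: Verify your account

Please verify your account.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, classify(raw))
```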

Of all the changes Microsoft has made towards security in the last few years, the most notable in my opinion is that they now secure against threats that to many seem minor or that might not even exist. Is it insane and delusional for them to protect themselves from threats that haven't even been invented yet? Is it a senseless preoccupation to defend the inner layers rather than just focusing on hardening the outside?

I keep my PCs turned around so I can tell if anyone has installed a hardware keylogger.

I never check in luggage when I fly.

I do my Internet browsing from a locked-down VMware box that has no rights on my network.

I use terrafly.com to see what others might be able to see about my home.

It takes five passwords to boot up my laptop and check my e-mail.

One of those passwords is over 50 characters long.

I also delete unused services on my servers. I block unused ports. And I install hotfixes the day Microsoft releases them.

Henry Kissinger said that "Even a paranoid can have enemies." The fact is that we don't know all the current and future threats so we might as well treat everything as high security. I do, but then perhaps I'm just paranoid.

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.